Tuesday, April 14, 2026

Microsoft's April 2026 Patch Tuesday: 163 Flaws and Two Zero-Days

Microsoft's April Patch Tuesday addresses 163 vulnerabilities — the second-largest monthly release in company history — including an actively exploited SharePoint spoofing zero-day, a publicly disclosed Defender privilege escalation linked to the BlueHammer proof-of-concept, and a wormable TCP/IP RCE. The Secure Boot certificate cliff is 73 days out.

Note: This post was written by Claude Opus 4.6. The following is a synthesis of reporting from major security news organizations.

Microsoft’s April 2026 Patch Tuesday addresses 163 vulnerabilities — what Zero Day Initiative’s Dustin Childs called “the second-largest monthly release in Microsoft’s history,” bested only by October 2025’s 167. Two are zero-days: an actively exploited SharePoint spoofing flaw and a publicly disclosed Microsoft Defender privilege escalation whose description, according to Tenable, appears to match the publicly released BlueHammer proof-of-concept. Eight are rated critical, including an unauthenticated, CVSS 9.8 Windows IKE Service RCE and a TCP/IP bug that ZDI describes as wormable on IPv6/IPsec systems. And in the background, the Secure Boot certificate deadline is 73 days away.

The Zero-Days

CVE-2026-32201 — Microsoft SharePoint Server Spoofing (CVSS 6.5, actively exploited). Affects SharePoint 2016, 2019, and Subscription Edition. The CVSS score is modest, but the “exploited in the wild” tag, SharePoint’s position as a collaboration hub, and the fact that the spoofing is suspected to manifest as cross-site scripting put it at the top of the queue for any on-prem SharePoint deployment. A companion vulnerability, CVE-2026-20945 (CVSS 4.6), patches a related spoofing path in the same code.

CVE-2026-33825 — Microsoft Defender Elevation of Privilege (CVSS 7.8, publicly disclosed). Microsoft’s advisory makes no mention of public exploit code, but Tenable notes that the CVE’s description “appears to match” BlueHammer — the Windows Defender local privilege escalation proof-of-concept that a researcher going by “Chaotic Eclipse” dropped on GitHub on April 3, combining a TOCTOU race condition with path confusion in the signature-update mechanism. Whether CVE-2026-33825 is precisely the same flaw or a closely related parallel discovery is not definitively established. Microsoft credits Zen Dodd and Yuanpei XU of HUST with Diffract for the advisory, and ships the fix in Antimalware Platform version 4.18.26050.3011. Either way, Windows 10 and 11 clients should take the Antimalware Platform update today.
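The only number that matters for this CVE is the Antimalware Platform version, not the engine or signature version that most dashboards surface. The check below is an added example written for this post, not Microsoft's code or the original author's; it assumes the threshold 4.18.26050.3011 quoted above and that remote hosts accept PowerShell Remoting from the caller.

```powershell
# Added example for this post (not Microsoft's or the original author's code).
# Compares the Defender Antimalware Platform version on one or more hosts
# against the build the post cites as carrying the CVE-2026-33825 fix.
# Assumptions: the threshold 4.18.26050.3011 is taken from the post; remote
# hosts must accept PowerShell Remoting (WinRM) from the caller.

$FixedPlatform = [version]'4.18.26050.3011'

function Test-DefenderPlatformPatched {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [version]$Required = $FixedPlatform
    )

    # Runs on the target; Get-MpComputerStatus is part of the inbox Defender module.
    $probe = {
        $s = Get-MpComputerStatus
        [pscustomobject]@{
            Host             = $env:COMPUTERNAME
            PlatformVersion  = $s.AMProductVersion        # Antimalware Platform: the component the fix ships in
            EngineVersion    = $s.AMEngineVersion         # engine build; not the relevant number for this CVE
            SignatureVersion = $s.AntivirusSignatureVersion
            RealTimeOn       = $s.RealTimeProtectionEnabled
        }
    }

    foreach ($c in $ComputerName) {
        try {
            $r = if ($c -eq $env:COMPUTERNAME) { & $probe } else { Invoke-Command -ComputerName $c -ScriptBlock $probe -ErrorAction Stop }
            $current = [version]$r.PlatformVersion
            [pscustomobject]@{
                Host             = $r.Host
                PlatformVersion  = $current
                EngineVersion    = $r.EngineVersion
                SignatureVersion = $r.SignatureVersion
                RealTimeOn       = $r.RealTimeOn
                Required         = $Required
                Patched          = ($current -ge $Required)
                Error            = $null
            }
        }
        catch {
            # Unreachable host or Defender not present: surface it rather than dropping it.
            [pscustomobject]@{
                Host = $c; PlatformVersion = $null; EngineVersion = $null; SignatureVersion = $null
                RealTimeOn = $null; Required = $Required; Patched = $null; Error = $_.Exception.Message
            }
        }
    }
}

# Usage: local host by default; pass -ComputerName for a fleet. Show anything not confirmed patched.
Test-DefenderPlatformPatched |
    Where-Object { $_.Patched -ne $true } |
    Format-Table Host, PlatformVersion, Required, Patched, Error -AutoSize
```

A host that reports an older platform after a Windows Update scan usually has the platform update (the KB4052623 package) blocked by a WSUS approval or a Defender update-channel policy, so the fix is in update plumbing, not on the endpoint.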

The Secure Boot Cliff

The most consequential item in this month’s update isn’t a CVE — it’s a certificate expiration.

Microsoft’s original Secure Boot certificates were issued in 2011 with a 15-year validity window. On June 26, 2026, they expire. Devices that haven’t received the 2023 replacement certificates will lose Secure Boot protection, and some will fail to boot. Microsoft has been delivering the new certificates automatically through Windows Update, but deployment has been uneven, and there is no retroactive fix once the deadline passes.

Starting with this month’s update, Microsoft is adding a Secure Boot certificate status indicator directly inside the Windows Security app under Device security. A green checkmark means the device has all required certificate updates and the new Boot Manager. A yellow warning means the device is still running older certificates. Notifications and administrator controls arrive in May. The April update is the last comfortable Patch Tuesday before the deadline.
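The indicator summarises state you can read directly: which certificate authorities the firmware currently trusts and what Microsoft's servicing task reports. The script below is an added example for this post, not Microsoft's tooling; it runs elevated on a UEFI system, uses the certificate subject names of the 2011 and 2023 Microsoft CAs, and assumes the registry values under the SecureBoot\Servicing key are the ones Microsoft documents for the rollout (they may be absent on a host that has not yet received the servicing task).

```powershell
# Added example (not from the original post or from Microsoft). Reads the
# facts behind the Windows Security indicator: which Secure Boot CAs the
# firmware db/KEK hold and what the servicing task reports. Run elevated on a
# UEFI machine. Assumptions: the CA subject strings below; the Servicing
# registry value names (UEFICA2023Status / UEFICA2023Error) as documented by
# Microsoft for the 2023 CA rollout.

function Get-SecureBootCertStatus {
    try { $enabled = Confirm-SecureBootUEFI }
    catch {
        # Legacy BIOS, or no access to UEFI variables (not elevated).
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; SecureBoot = 'unsupported or inaccessible'; NeedsAttention = $true }
    }

    # UEFI variables are DER blobs; CA subject names are stored as ASCII, so a
    # substring match is enough to tell which certificates are present.
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes)

    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue

    $has2023Db  = $db  -match 'Windows UEFI CA 2023'
    $has2023Kek = $kek -match 'Microsoft Corporation KEK 2K CA 2023'

    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        SecureBoot           = if ($enabled) { 'enabled' } else { 'disabled' }
        Db_WindowsUefiCa2023 = $has2023Db                                          # signs the new Boot Manager
        Db_OptionRomCa2023   = $db -match 'Microsoft Option ROM UEFI CA 2023'
        Db_ThirdPartyCa2023  = $db -match 'Microsoft UEFI CA 2023'
        Db_ProductionPca2011 = $db -match 'Microsoft Windows Production PCA 2011'  # the 2011 CA that is expiring
        Kek_2023             = $has2023Kek
        Kek_2011             = $kek -match 'Microsoft Corporation KEK CA 2011'
        ServicingStatus      = $svc.UEFICA2023Status    # documented values: Not Started / In Progress / Updated
        ServicingError       = $svc.UEFICA2023Error
        # A green check in the app also needs the 2023-signed Boot Manager on the
        # EFI system partition; that file is not inspected here.
        NeedsAttention       = -not ($has2023Db -and $has2023Kek)
    }
}

Get-SecureBootCertStatus | Format-List
```

Wrap the function in Invoke-Command to sweep a fleet; the rows with NeedsAttention set are the same devices that will show the yellow warning, and anything with a non-empty ServicingError is a device the automatic rollout has already given up on.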

Today is also the day Exchange Server 2016 and 2019 Extended Security Updates expire. Organizations still running on-prem Exchange 2016 or 2019 now have no security updates available from Microsoft under any program; the grace period is over. Migration to Exchange Online, Exchange Server Subscription Edition, or at minimum a hybrid configuration is no longer a 2026 roadmap item; it is an active exposure. SharePoint Server 2016 and 2019, the same platform carrying today’s actively exploited spoofing flaw, hit their own end of life on July 14.

Critical Network-Reachable RCEs

Seven of the eight critical flaws this month are remote code execution bugs (the eighth is a denial of service). Four hit network-reachable Windows surfaces that matter for internet-facing or AD-joined systems:

| CVE | Component | CVSS | Notes |
|---|---|---|---|
| CVE-2026-33824 | Windows IKE Extensions | 9.8 | Unauthenticated; block UDP 500/4500 at the perimeter as a temporary mitigation |
| CVE-2026-33827 | Windows TCP/IP | | ZDI describes as wormable on IPv6/IPsec systems |
| CVE-2026-33826 | Windows Active Directory | 8.0 | Rated “Exploitation More Likely”; requires domain authentication |
| CVE-2026-32157 | Remote Desktop Client | | Malicious RDP server hits the connecting client |

CVE-2026-33824 is the one to prioritize: unauthenticated network RCE at CVSS 9.8 against the IKE/IPsec implementation. Firewall rules blocking UDP 500 and 4500 from untrusted sources buy time for staged patching, but don’t defer deployment. The TCP/IP bug’s race-condition exploitability makes weaponization harder but doesn’t eliminate the risk. The remaining critical RCEs hit Microsoft Office — Word and Excel bugs exploitable through the Preview Pane, continuing a pattern that started in March.
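For hosts you cannot patch today, the "buy time" step is worth doing carefully: first confirm the box is actually listening on the IKE ports, then add a block rule that is labelled so it can be found and removed once the cumulative update is on. The script below is an added example for this post, not Microsoft's guidance; the rule name is my own, and it assumes the host does not need inbound IPsec from untrusted peers. Run it elevated.

```powershell
# Added example (not from the original post). Exposure check plus a clearly
# labelled temporary host-firewall block for CVE-2026-33824. Assumptions:
# the rule name is my own; the host has no legitimate inbound IKE peers
# outside the ranges you choose. Run elevated.

$RuleName = 'TEMP-CVE-2026-33824-block-IKE'

function Get-IkeExposure {
    $svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $ep  = Get-NetUDPEndpoint -ErrorAction SilentlyContinue | Where-Object { $_.LocalPort -in @(500, 4500) }
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        IkeExtService = if ($svc) { $svc.Status } else { 'absent' }
        Udp500Bound   = [bool]($ep | Where-Object LocalPort -eq 500)
        Udp4500Bound  = [bool]($ep | Where-Object LocalPort -eq 4500)
        TempBlockRule = [bool](Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue)
    }
}

function Add-IkeTemporaryBlock {
    param(
        # Windows Firewall evaluates block rules ahead of allow rules for the same
        # traffic, so "allow trusted" + "block Any" blocks the trusted peers too.
        # If some peers must still reach IKE (AOVPN device tunnels, IPsec domain
        # isolation), pass the UNTRUSTED ranges here instead of Any.
        [string[]]$RemoteAddress = @('Any'),
        [string[]]$Profile = @('Domain', 'Private', 'Public')
    )
    $existing = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }   # idempotent: re-running does not stack rules
    New-NetFirewallRule -Name $RuleName -DisplayName $RuleName `
        -Description 'Temporary mitigation for CVE-2026-33824; remove after the April 2026 CU is installed' `
        -Direction Inbound -Protocol UDP -LocalPort 500, 4500 `
        -RemoteAddress $RemoteAddress -Profile $Profile -Action Block -Enabled True
}

function Remove-IkeTemporaryBlock {
    Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

# Usage:
Get-IkeExposure
Add-IkeTemporaryBlock            # or: Add-IkeTemporaryBlock -RemoteAddress '203.0.113.0/24' for a known-untrusted range
# After the CU is installed and verified:
# Remove-IkeTemporaryBlock
```

A host that shows IKEEXT running but nothing bound on 500/4500 is still worth blocking at the perimeter, since the service binds on demand when an IPsec policy is applied. Remember that the block silently breaks Always On VPN device tunnels and IPsec domain isolation, which is why the rule carries the CVE in its name.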

Three other bugs carry Microsoft’s “Exploitation More Likely” tag: CVE-2026-33826 (the AD RCE above), CVE-2026-27913 (Windows BitLocker Bypass, CVSS 7.7), and CVE-2026-26151 (Remote Desktop Spoofing, CVSS 7.1).

The Category Breakdown

BleepingComputer’s early breakdown (which sums to 166, slightly higher than the 163 reported by Tenable and ZDI; that kind of discrepancy is common in initial reporting) looks like:

| Category | Count |
|---|---|
| Elevation of Privilege | 93 |
| Information Disclosure | 21 |
| Remote Code Execution | 20 |
| Security Feature Bypass | 13 |
| Denial of Service | 10 |
| Spoofing | 9 |

The EoP count is striking. Over 55% of this month’s flaws are privilege escalation paths — post-compromise ladders that turn a standard user foothold into SYSTEM. That’s consistent with where attackers spend their effort in 2026: initial access is cheap, privilege escalation is the valuable layer. ZDI’s Dustin Childs notes that incoming vulnerability submissions have “essentially tripled” this year, which helps explain the sheer volume.

Cross-Signed Kernel Drivers Lose Trust

Starting with the April 2026 security update, Microsoft is removing trust for all kernel drivers signed by the deprecated cross-signed root certificate program. Legitimate vendors have long since moved to Microsoft’s attestation signing service, so the impact is narrow — but any third-party software that still depends on a cross-signed driver will break on update. Older hardware support packages, long-abandoned peripherals, and some specialty forensics and security tools are the likely casualties. Inventory those dependencies before you roll the April update into production.
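The inventory does not need a new tool: every configured kernel driver is listed by WMI, and its primary Authenticode signer tells you whether it came through Microsoft's signing pipeline. The script below is an added example for this post, not Microsoft's tooling. It is a triage heuristic rather than a verdict: a driver that is dual-signed (vendor cross-sign plus Microsoft attestation) can appear on the list and still load fine, so confirm candidates with `signtool verify /v /kp /all` before pulling anything. The path-normalisation rules and regexes are my own.

```powershell
# Added example (not from the original post). Triage list of configured
# kernel drivers whose primary Authenticode signer is not Microsoft, which is
# where cross-signed drivers surface. Heuristic only: dual-signed drivers can
# appear here; confirm with signtool verify /v /kp /all. Assumptions: the
# path prefixes handled below are the forms Win32_SystemDriver emits on
# current Windows; the regexes are my own.

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                       # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"        # "\SystemRoot\System32\drivers\x.sys"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # "System32\drivers\x.sys"
    if (Test-Path -LiteralPath $p) { $p } else { $null }
}

function Get-KernelDriverSigners {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path) {
            [pscustomobject]@{
                Name = $_.Name; State = $_.State; Path = $_.PathName
                SigStatus = 'file not found'; SigType = $null; Signer = $null; Issuer = $null
                Triage = 'check manually'
            }
            return
        }
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $subject = $sig.SignerCertificate.Subject

        # Attestation/WHQL-signed drivers and inbox drivers all carry a Microsoft
        # signer; a vendor-named signer is the cross-signing fingerprint.
        if ($sig.Status -ne 'Valid') {
            $triage = 'REVIEW: signature not valid on this host'
        } elseif ($subject -notmatch 'O=Microsoft Corporation') {
            $triage = 'REVIEW: non-Microsoft signer (cross-signed candidate)'
        } else {
            $triage = 'ok'
        }

        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State          # Stopped drivers with Manual start still load on demand
            Path      = $path
            SigStatus = $sig.Status
            SigType   = $sig.SignatureType   # Authenticode (embedded) vs Catalog
            Signer    = $subject
            Issuer    = $sig.SignerCertificate.Issuer
            Triage    = $triage
        }
    }
}

# Usage: only the rows that need a human.
Get-KernelDriverSigners | Where-Object Triage -ne 'ok' | Sort-Object State, Name |
    Format-Table Name, State, SigStatus, Signer, Triage -AutoSize
```

Run it on a representative machine from each hardware model and on anything carrying forensic or endpoint tooling, and pilot the April update there first; a driver that fails to load after the update shows up as a Code Integrity event, not as an update failure.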

What Landed on My Desktop

Four updates shipped to a Windows 11 Enterprise LTSC 24H2 client at the first scan after release:

| KB | Title | Reported Size |
|---|---|---|
| KB5083769 | 2026-04 Security Update (26100.8246) | 92,332 MB |
| KB5086096 | 2026-04 .NET 8.0.26 Security Update for x64 Client | 240.7 MB |
| KB5082420 | 2026-04 .NET Framework Security Update | 147.4 MB |
| KB890830 | Windows Malicious Software Removal Tool v5.140 | 81.9 MB |

KB5083769 brings the client to build 26100.8246. Actual download took about five minutes; install took about twenty.

The 92 GB figure for KB5083769 looks wrong, but it isn’t. The Windows Update Agent API exposes two size properties: MinDownloadSize is what a system with all prior updates will actually pull; MaxDownloadSize is the worst-case total if the system is missing everything. Since Windows 10 v1709, cumulative updates ship through the Unified Update Platform — every supported language, all Features on Demand, and multiple update formats packaged together — and Microsoft documentation confirms that MaxDownloadSize values in the 100+ GB range are expected behavior, not a bug. Recent Windows 11 cumulatives have grown for a separate reason: they bundle multi-GB MSIX packages with semantic search models, ONNX runtime, and Copilot+ AI features shipped to all devices even when inapplicable. For disk-space planning, Microsoft recommends IUpdate::get_RecommendedHardDiskSpace instead. Bottom line: if your scanner reports 92 GB, don’t panic-provision storage — the actual install is a small fraction.
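You can see both properties side by side for the updates pending on a client by asking the Windows Update Agent directly. The script below is an added example for this post, not Microsoft's code; the property names are from the IUpdate COM interface, RecommendedHardDiskSpace is documented in megabytes, and the search goes to whatever update source the machine is configured for (WSUS or Windows Update), so it needs connectivity to that source.

```powershell
# Added example (not from the original post). Queries the Windows Update Agent
# COM API for pending updates and reports both size properties, so a "92 GB"
# row can be seen for what it is. Assumptions: IUpdate property names
# (MinDownloadSize, MaxDownloadSize in bytes; RecommendedHardDiskSpace in MB);
# the client's configured update source is reachable.

function Get-PendingUpdateSizes {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    foreach ($u in $result.Updates) {
        $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        [pscustomobject]@{
            KB                = $kbs
            Title             = $u.Title
            MinDownloadMB     = [math]::Round($u.MinDownloadSize / 1MB, 1)   # what this client will actually pull
            MaxDownloadMB     = [math]::Round($u.MaxDownloadSize / 1MB, 1)   # worst case: every language/FOD/format (UUP)
            RecommendedDiskMB = $u.RecommendedHardDiskSpace                  # plan free space on this, not on Max
            MaxToMinRatio     = if ($u.MinDownloadSize) { [math]::Round($u.MaxDownloadSize / $u.MinDownloadSize, 0) } else { $null }
        }
    }
}

Get-PendingUpdateSizes | Sort-Object MaxDownloadMB -Descending | Format-Table -AutoSize
```

If your scanner's "size" column matches MaxDownloadMB for the cumulative update, it is reporting the UUP worst case; MinDownloadMB is the number to put in bandwidth estimates and RecommendedDiskMB the one to put in storage checks.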

The March Hangover

The backdrop for April’s release is a rough month of Microsoft update quality. March’s KB5079391 cumulative was pulled within 24 hours of release after widespread Error 0x80073712 installation failures. Microsoft shipped multiple out-of-band updates across the month to fix Microsoft account sign-in breakage, Bluetooth connectivity issues, and reboot loops affecting Windows 11 VMs running Virtual Secure Mode. Administrators are approaching this Patch Tuesday with less trust than usual, which is a problem when the Secure Boot deadline rewards speed and the quality crisis rewards caution.

Recommendations

Priority order for this month:

  1. CVE-2026-33824 (Windows IKE Extensions RCE, CVSS 9.8) — unauthenticated, wormable-adjacent, top of the queue. Block UDP 500 and 4500 from untrusted networks while you stage the patch.
  2. CVE-2026-32201 + CVE-2026-20945 (SharePoint spoofing) — actively exploited; patch on-prem SharePoint 2016/2019/Subscription Edition immediately.
  3. CVE-2026-33825 (Defender EoP, description appears to match BlueHammer) — fixed in Antimalware Platform 4.18.26050.3011; public PoC for a matching-class flaw has been circulating since April 3.
  4. CVE-2026-33827 (TCP/IP RCE) — wormable on IPv6/IPsec systems per ZDI; race-condition difficulty is not a reason to delay.
  5. CVE-2026-33826 (Active Directory RCE) — “Exploitation More Likely”; domain controllers deserve priority regardless.
  6. CVE-2026-27913 (BitLocker Bypass) and CVE-2026-26151 (RDP Spoofing) — both flagged “Exploitation More Likely.”
  7. Office RCEs (Preview Pane) — the March pattern continues.
  8. Secure Boot certificate status — verify in the Windows Security app on every device; any yellow warning needs hands-on attention before June 26.
  9. Cross-signed kernel driver inventory — identify and remediate before production rollout.

The April update is big, it’s important, and it’s landing into a trust deficit. Pilot aggressively, stage deliberately, and don’t skip the Secure Boot check.
